商业编程-源码-Windows NT 2000中以用户系统级安全上下文方式创建进程的源代码.zip

// CreateProcessAsUserSystem.cpp (Windows NT/2000) // // This example will show how you can create a process // in the context of the user 'SYSTEM' // // // (c)1999 Ashot Oganesyan K, SmartLine, Inc // mailto:ashot@aha.ru, http://www.protect-me.com, http://www.codepile.com #include <windows.h> #include <tchar.h> #include <stdio.h> #pragma pack(1) typedef struct { BYTE mov_eax; LPVOID address; WORD jump_eax; } ASMJUMP, *PASMJUMP; BOOL SetPrivileges(HANDLE hprocess, LPTSTR privilege, BOOL bSwitch); HANDLE hParentProc; DWORD dwFunc; // Haked NtCreateProcess void __declspec(naked)HackedNtCreateProcess() { _asm { // Change parent process handle mov eax,hParentProc mov dword ptr [esp+16],eax // NtCreateProcess value depends on version mov eax,dwFunc // Load parameters table lea edx,dword ptr [esp+4] // Call the interrupt int 2Eh // return retn 20h } } void PrintWin32Error( char *message, DWORD error ) { char *errMsg; FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, NULL, error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPTSTR) &errMsg, 0, NULL ); printf("%s: %s\n", message, errMsg ); LocalFree( errMsg ); } int main(int argc, char* argv[]) { printf("\nSysProc for Windows NT/2000 FREEWARE\n"); printf("Creates a process in the context of the SYSTEM\n"); printf("(c)2000 SmartLine Inc. http://www.protect-me.com\n\n"); if (argc<2) { _tprintf(TEXT("Usage:\n\t sysproc.exe <program name>\n")); return -1; } if (!SetPrivileges((HANDLE)-1,SE_DEBUG_NAME,TRUE)) { PrintWin32Error("SetPrivileges failed",GetLastError()); return -1; } UINT uSysProcId; switch(LOBYTE(LOWORD(GetVersion()))) { case 3: uSysProcId = 0x02; dwFunc = 0x1E; break; case 4: uSysProcId = 0x02; dwFunc = 0x1F; break; case 5: uSysProcId = 0x08; dwFunc = 0x29; // 0x2A - for W2K beta; break; } // Trying to get a handle to the system process hParentProc = OpenProcess(PROCESS_CREATE_PROCESS,TRUE,uSysProcId); if (!hParentProc) { PrintWin32Error("Could not open system process",GetLastError()); return -1; } PASMJUMP NtCreateProcessHook = (PASMJUMP) GetProcAddress( GetModuleHandle(TEXT("ntdll.dll")), "NtCreateProcess"); if (NtCreateProcessHook==NULL) { PrintWin32Error("Could not get procedure address",GetLastError()); return -1; } // Enable write acess to VM MEMORY_BASIC_INFORMATION mbi; VirtualQuery(NtCreateProcessHook,&mbi,sizeof(MEMORY_BASIC_INFORMATION)); DWORD dw; VirtualProtect(mbi.AllocationBase,mbi.RegionSize, PAGE_EXECUTE_READWRITE,&dw); // Redirect call to HackedNtCreateProcess : // // mov eax,HackedNtCreateProcess // jmp eax NtCreateProcessHook->mov_eax = 0xB8; NtCreateProcessHook->address = HackedNtCreateProcess; NtCreateProcessHook->jump_eax = 0xE0FF; // Call modified CreateProcess PROCESS_INFORMATION pi; STARTUPINFO si; ZeroMemory(&pi,sizeof (PROCESS_INFORMATION)); ZeroMemory(&si,sizeof (STARTUPINFO)); si.cb = sizeof(STARTUPINFO); if (!CreateProcess(NULL,argv[1], NULL, NULL, FALSE, 0,NULL,NULL, &si, &pi)) { PrintWin32Error("Could not create process",GetLastError()); return -1; } CloseHandle(pi.hThread); CloseHandle(pi.hProcess); return 0; } BOOL SetPrivileges(HANDLE hprocess, LPTSTR privilege, BOOL bSwitch) { HANDLE hToken; LUID DebugValue; TOKEN_PRIVILEGES tkp; if (!OpenProcessToken(hprocess, TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken)) goto err; if (!LookupPrivilegeValue((LPTSTR) NULL, privilege, &DebugValue)) goto err; tkp.PrivilegeCount = 1; tkp.Privileges[0].Luid = DebugValue; if (bSwitch) tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED | SE_PRIVILEGE_ENABLED_BY_DEFAULT | SE_PRIVILEGE_USED_FOR_ACCESS; else tkp.Privileges[0].Attributes = NULL; AdjustTokenPrivileges(hToken, FALSE, &tkp, sizeof(TOKEN_PRIVILEGES), (PTOKEN_PRIVILEGES) NULL, NULL); if (GetLastError() != ERROR_SUCCESS) goto err; return TRUE; err: return FALSE; }